Information Resource Management Directive 5000.14 USAP Software Management and Protection



The National Science Foundation
Polar Programs
United States Antarctic Program

Information Resource Management Directive 5000.14
USAP Software Management and Protection

Organizational Function: Information Resource Management
Policy Category: Information Security Policies and Instruction
Subject: Software Management & Protection
Policy Number: 5000.14
Issue Date: 1 August 2004
Effective Date: 1 August 2004
Updated: 15 May 2013
Authorized By: Section Head, NSF/GEO/PLR/AIL
Office of Primary Responsibility: National Science Foundation, Geosciences Directorate, Division of Polar Programs, Antarctic Infrastructure & Logistics
Responsible Official (Primary Responsibility): Mr. Patrick D. Smith, Technology Development Manager
Responsible Official (Security Responsibility): Ms. Desari Mattox, USAP Information Security Manager
Address: Suite 755, 4201 Wilson Blvd, Arlington, VA 22230
Phone: 703.292.8032
Fax: 703.292.9080
Web: http://www.nsf.gov/div/index.jsp?div=plr
Distribution: USAP-Wide
Online Publication: http://www.usap.gov/technology/contenthandler.cfm?id=1563
Status: Final Policy

1. PURPOSE

This policy establishes the guidelines for the management and protection of software used within the National Science Foundation (NSF), Geosciences Directorate (GEO), Polar Programs (PLR), United States Antarctic Program (USAP).

2. BACKGROUND

Software within information systems must be properly managed to ensure compliance with law and federal regulations regarding licensing and copyright infringement, and to protect against the effects of malicious applications.

Page 1

ICT_POL_Software-Management-and-Protection_5000.14 Effective Date: 1 August 2004

3. GUIDING PRINCIPLES

Proper licensing of software applications is essential to the security of the USAP information infrastructure.
Current protective applications ensure the continuation of science and operations mission activities.

4. POLICY

The USAP IT staff will manage all software used on USAP information systems to ensure appropriate licensing requirements are implemented. All USAP information systems will use some form of protection against malicious applications.

4.1 Operational Definitions

4.1.1 Malicious Application

Class of programs designed to cause some form of intentional damage, unauthorized access, or unexpected result to a system or network. Often referred to as malware, and includes viruses, Trojan horses, worms, and logic bombs. Attackers typically pass malware via email attachments, shared files, or removable media.

4.1.2 Virus

A program that is attached to an executable file or vulnerable application, and typically will deliver an unwanted function that ranges from annoying to extremely destructive. A virus usually copies or sends its code to other programs or recipients. An executable email attachment that deletes other files when it is opened is an example of a virus. Viruses can also lie dormant and later be triggered by events such as a date or keystrokes. The term virus is commonly used to describe any form of malicious application.

4.1.3 Trojan Horse

A Trojan horse is an apparently useful, deliberately placed program or procedure which contains hidden code that, when invoked, performs some unwanted function. Trojan horses may arrive hidden in software such as a game or graphics program.

4.1.4 Worm

A worm program has the primary goals of replication and propagation. A worm can typically make a copy of itself without needing to modify a host. A worm may (or may not) do things other than propagate. In the process of propagation, it may also have the effect of consuming storage space and bandwidth, which can slow down the affected systems. A worm program replicates itself and moves through shared network connections, emails, websites, removable media, unsecured ports, back doors (openings left by software vulnerabilities or malicious code), or other security holes, to infect other machines on the network. Viruses are often paired with a worm so that they can be spread faster and more broadly.

4.1.5 Logic Bomb

A program or setup which causes an endless loop cycle or other logic failure (like division by zero), thus hijacking system resources and/or eventually causing a failure. A complete computer lockup caused by opening an executable which triggers an endless program loop is an example of a logic bomb. An email account that is set to autoforward its mail to another email account that is already forwarding email to the first account is an example of a logic bomb setup. The inbox on both email accounts will continue to expand until a failure occurs in one.

4.1.6 Spyware

An application that obtains information about a user, then reports that information to a collector for statistical analysis and other purposes. Spyware is often loaded without the user's awareness, and may sometimes be used to assist with an attack against the user, their systems, or their network.

4.2 General Policy Statements

The term virus protection is used synonymously to mean malicious code protection in this section.

4.2.1 Use of Malicious Code Protection Software

All USAP computers (desktops, laptops, personal digital assistants, etc.) connected to the USAP network must use the USAP approved virus protection software. Non-USAP computers connecting to the USAP network must meet vulnerability management requirements, including applicable anti-virus software requirements, before connecting to the USAP network.

4.2.2 Malicious Code Protection Software Status

All computers connecting to the USAP network infrastructure must have the latest version of virus protection software installed and enabled.

4.2.3 Malicious Code Protection Settings

The virus protection program settings must be configured for maximum effectiveness. In situations where this approach may interfere with the optimal performance of the affected system, the system owner will need to obtain a waiver from NSF PLR.

4.2.4 Malicious Code Protection Software Update Frequency

The virus protection software must be updated as soon as updates are available from the vendor, and automatically where possible, for all computers connecting to the USAP network. Systems that do not maintain current protection software will be removed from the network until their protection software is updated to the appropriate version.

4.2.5 File Servers

All USAP file servers must use USAP approved virus protection software, and be set up to detect and clean viruses that may infect files. Non-USAP file servers connecting to the USAP network must meet virus protection requirements before connection.

4.2.6 Email Gateways

Each USAP email gateway must use approved e-mail virus protection software and adhere to established rules for the setup and use of the software. Non-USAP email gateways connected to USAP networks must meet USAP system interface requirements, to include the need to address vulnerability management and virus protection.

4.2.7 Software Licenses

The USAP IT staff will ensure that all software used by USAP systems is properly licensed. Users and owners of non-USAP systems are responsible for ensuring their software is properly licensed. Any system using unlicensed software will be disconnected from the network until the licensing discrepancy is rectified.

4.2.8 Software License Records

The USAP prime contractor will ensure that all USAP software licenses are recorded by some mechanism, such as a central database, to be able to show proof of software license compliance. Non-USAP users who have approved software must be able to show proof of software compliance prior to connection to the USAP information infrastructure.

5. APPLICABILITY AND COMPLIANCE

This policy applies to all information resources, systems, and technology and to all users of these resources, systems and technology within the USAP operating environment or connected to the USAP information infrastructure. Compliance with this policy is as indicated in USAP Information Resource Management Directive 5000.01, The USAP Information Security Program.

6. RESPONSIBILITIES

In addition to the responsibilities identified in USAP Information Resource Management Directive 5000.01, The USAP Information Security Program, the following officials have specific responsibilities related to Software Management and Protection.

6.1 USAP Information Security Manager (ISM)

The USAP ISM coordinates the implementation of the Software Management and Protection process across the USAP.

6.2 USAP Participant Organizations

Each USAP participant organization will establish a process and procedures to ensure all software is properly licensed and all appropriate steps are taken to manage known vulnerabilities and address antivirus requirements.

7. IMPLEMENTING SOFTWARE MANAGEMENT AND PROTECTION

7.1 Implementation

Each USAP participant organization will develop appropriate policies, processes, standards, and procedures to implement the USAP Information Security Software Management and Protection program. USAP participant organizations will publish procedures as appropriate to implement this program and comply with this policy. The USAP ISM will ensure that these procedures are uniformly administered across all sites. All users of the USAP infrastructure will ensure their systems comply with this policy.

7.2 Software Management and Protection - Program Administration

The ISM will delegate, as necessary, administration of the Information Security Software Management and Protection program to competent personnel. Procedures for keeping the most current malicious code protection software installed and enabled on all USAP computers will be developed and made available to all users of USAP information resources. Procedures for ensuring software licensing compliance will be developed and made available to all users of USAP information resources.

7.3 Non-USAP Systems

Owners and operators of non-USAP systems will ensure their systems use properly licensed software and implement appropriate measures to manage known vulnerabilities when their systems are connected to the USAP information infrastructure.

8. AUTHORITY

Publication of this policy is in conformance with the authority of the National Science Foundation Act of 1950, as amended and extended, the Federal Information Security Management Act of 2002 and NSF guidance.

Brian Stone
Section Head, NSF/GEO/PLR/AIL

REVISION/CHANGE RECORD

Pages  Date       Version  Author/Reviewer  Reason for Change
All    6/9/2011   1.0      Matthew Rogers   Verified alignment with NIST Special Publication 800-53 Revision 2. Changed ISM name.
All    5/3/2012   2.0      Alex Jerasa      Updated key contacts and conducted FY12 review.
All    5/15/2013  3.0      Desari Mattox    Updated OPP and AIL titles to align with NSF re-organization & verified alignment with NIST SP 800-53 rev 3.